Nmap Development mailing list archives
Nmap 4.85BETA10 released - needs testing!
From: Fyodor <fyodor () insecure org>
Date: Fri, 12 Jun 2009 22:21:39 -0700
Hi folks. I'm pleased to release 4.85BETA10, which contains an amazing number of changes for exactly 1 month of work. Just the CHANGELOG entries themselves are 330 lines long! New goodies include:

o SCTP ping and port scanning support
o Dramatic improvements to the default ping probes based on extensive empirical Internet research
o New or substantially improved NSE scripts: http-iis-webdav-vuln, socks-open-proxy, http-open-proxy, imap-capabilities
o Major NSE stability improvements
o Major Ncat improvements (particularly to listen mode and EOF handling)
o Zenmap goodies, such as being able to save the pretty network topology graph images.
o More than 50 other significant bug fixes, new features, performance improvements, etc. (described below)

And the really great news is that we're *VERY CLOSE* to our first stable release in 9 months! And the changes since 4.76 was released last year are huge. From this point on, we're ONLY planning to put in important bug fixes to help get things stable and ready for release. We'll soon open up a dev tree in SVN for other patches. So please test this sucker out! The more testing we get, the sooner we can release the stable version! If you find some good bugs this weekend, we're prepared to do a new release candidate build on Monday.

You can download 4.85BETA10 in all the regular formats at the normal location: http://nmap.org/download.html

Without further ado, here are the significant changes in this monster release:

Nmap 4.85BETA10 [2009-06-12]

o The host discovery (ping probe) defaults have been enhanced to include twice as many probes. The default is now "-PE -PS443 -PA80 -PP". In exhaustive testing of 90 different probes, this emerged as the best four-probe combination, finding 14% more Internet hosts than the previous default, "-PE -PA80". The default for non-root users is -PS80,443, replacing the previous default of -PS80. In addition, ping probes are now sent in order of effectiveness (-PE first) so that less effective probes may not have to be sent. ARP ping is still the default on local ethernet networks. [David, Fyodor]

o Added SCTP port scanning support to Nmap. SCTP is a layer 4 protocol used mostly for telephony-related applications. This brings the following new features:
  o SCTP INIT chunk port scan (-sY): open ports return an INIT-ACK chunk, closed ones an ABORT chunk. This is the SCTP equivalent of a TCP SYN stealth scan.
  o SCTP COOKIE-ECHO chunk port scan (-sZ): open ports are silent, closed ports return an ABORT chunk.
  o SCTP INIT chunk ping probes (-PY): host discovery using SCTP INIT chunk packets.
  o SCTP-specific IP protocol scan (-sO -p sctp).
  o SCTP-specific traceroute support (--traceroute).
  o The ability to use the deprecated Adler32 algorithm as specified in RFC 2960 instead of CRC32C from RFC 4960 (--adler32).
  o 42 well-known SCTP ports were added to the nmap-services file.
  o The server scanme.csnc.ch has been set up for your SCTP scan testing pleasure. See http://seclists.org/nmap-dev/2009/q2/0669.html.
  Part of the work on SCTP support was kindly sponsored by Compass Security AG, Switzerland. [Daniel Roethlisberger]

o [NSE] Added http-iis-webdav-vuln.nse, which detects the recently discovered WebDAV unicode bug in MS IIS 5.1/6.0 web server which can allow arbitrary users to access password protected folders without authentication. See http://nmap.org/svn/scripts/http-iis-webdav-vuln.nse. [Ron]

o The Nmap Reference Guide has been translated to German by Open Source Press and Indonesian by Tedi Heriyanto. You can now read it in 16 languages at http://nmap.org/docs.html. We're always looking for more translations of Nmap and its documentation--if you'd like to help, see http://seclists.org/nmap-dev/2009/q2/0667.html.

o Open Source Press completed and released the German translation of the official Nmap book (Nmap Network Scanning). Learn more at http://nmap.org/book/#translations.

o [NSE] Added socks-open-proxy.nse for scanning networks for open SOCKS proxy servers. See http://nmap.org/nsedoc/scripts/socks-open-proxy.html. [Joao Correa]

o [NSE] http-open-proxy.nse has been updated to attempt HEAD and CONNECT methods as well as the previously supported GET method. It still tries to reach http://www.google.com through the proxy by default, but now also offers an argument for specifying a different URL. [Joao Correa]

o [Ncat] There is a backwards-incompatible change in the way that listen mode works. The new default behavior is to accept only one connection, and quit when the connection ends. This was necessary to prevent data loss in some situations; some programs require Ncat to send an EOF before they flush their internal buffers and finish processing the last bit of data. See http://seclists.org/nmap-dev/2009/q2/0528.html for more information. Use the new -k or --keep-open option to get the old behavior, in which Ncat will accept multiple simultaneous connections, combine all their input, and accept more connections after a disconnection. [Daniel Roethlisberger, David]

o Ncat handling of newlines on Windows has been improved. CRLF is automatically converted to a bare LF when input is from the console, but left untouched when it is from a pipe or a file. No newline translation is done on output (where it was being done before). This makes it possible to transfer binary files with Ncat on Windows without any corruption, while still being able to interactively ncat into UNIX shells and other processes which require bare newlines. Ncat clients now work the same way on UNIX and Windows in that respect. For cases where you do want \r\n line endings (such as connections to web and email servers or Windows cmd.exe shells), specify -C whether your client is running on UNIX or Windows. [David]

o Nmap RPM packages (x86 and x86-64) are now built with OpenSSL support (statically linked in to avoid dependencies). They are also now built on CentOS 5.3 for compatibility with RHEL, Fedora, and other distributions. Please let us know if you discover any compatibility problems (or other issues) with the new RPMs. [Fyodor]

o [Zenmap] The Topology tab now has a "Save Graphic" button that allows saving the current topology display as a PNG, postscript, PDF, or SVG image. [Joao Medeiros, David]

o Changed the default UDP ping (-PU) port from 31338 to 40125. This appears to be a better port based on David's empirical testing.

o [NSE] Added the imap-capabilities script, which uses the CAPABILITY command to determine the capabilities of a target IMAP mail server. A simple supporting IMAP library was added as well. See http://nmap.org/nsedoc/scripts/imap-capabilities.html. [Brandon]

o [NSE] Brandon Enright from UCSD reports that, thanks to all the NSE fixes in this release, he no longer sees any Nmap crashes in his large scale scans. See http://seclists.org/nmap-dev/2009/q2/0639.html.

o Zenmap now works on RHEL/CentOS since it no longer requires the hashlib library (which was introduced in Python 2.5, but RHEL 5 still uses 2.4) and removing the pysqlite2 requirement (RHEL does not offer that module). It is still desirable to have pysqlite2 when available, since it enables Zenmap searching and database saving features. [David]

o Ncat can now send SSL certificates in connect mode for client authentication by using the --ssl-cert and --ssl-key options. The specified certificates are only sent when requested by the server. [Venkat]

o Nmap can now handle -SP and -SA at the same time when running nmap as non-root or using IPv6. It now combines the two port lists. [Josh Marlow]

o [Ncat] SSL in listen mode now works on systems like BSD in which a socket inherits its blocking or non-blocking status from the listening socket. [David, Daniel Roethlisberger]

o The --packet-trace/--version-trace options now show the names of version detection probes as they are sent, making the version detection process easier to understand and debug. [Tom Sellers]

o The GPG detached signatures for Nmap releases now use the more standard .asc extension rather than .gpg.txt. They can still be found at http://nmap.org/dist/sigs/ and the .gpg.txt versions for previous releases are still available for compatibility reasons. For instructions on verifying Nmap package integrity, see http://nmap.org/book/install.html#inst-integrity. [Fyodor]

o [Zenmap] Fixed two bugs: 1) When two scans are performed in Zenmap and aggregated, the first one was being modified in the process, preventing you from doing diffs in the "compare scans" dialogue or properly saving the first scan individually. 2) If you start two scans, then the faster one finishes and you cancel and remove the slower one while still in progress, much of the results from both scans are lost. [Josh Marlow]

o [Ncat] When connecting to an SSL service in verbose mode, Ncat now prints confirmation of the SSL connection, some certificate information, and a cert fingerprint. For example:
  SSL connection to 64.147.188.3:443.
  Electronic Frontier Foundation
  SHA-1 fingerprint: 28BE B476 2E49 7ED5 3A9B 4D79 AD1E 69A9 82DB C75A

o [NSE] Clean up output (generally reducing default verbosity) for the p2p-conficker, smb-check-vulns, and http-iis-webdav-vuln scripts. In general, we don't ask scripts to report that a host is clean unless Nmap's verbosity level (-v) is at least one or two. [Ron, Fyodor]

o [Zenmap] Added the -PS22,25,80 option found in the Quick Traceroute profile to some of the Intense scan profiles for improved host discovery. [Josh Marlow]

o Fixed a bug with the --defeat-rst-ratelimit option which prevented it from working properly. See this thread: http://seclists.org/nmap-dev/2009/q2/0476.html. [Josh]

o [Ndiff] Avoid printing a "Not shown:" line if there weren't any ports in the non-shown (extraports) list. [David]

o [Ncat] Fixed Ncat compilation with versions of OpenSSL before 0.9.7. Previously it would fail in ncat_openssl.c with the message "structure has no member named `it'". The problem was reported by Jaroslav Fojtik. [David]

o [NSE] Removed the packet.hextobin(str) and packet.bintohex(str) functions. They are redundant since you get the same functionality by calling bin.pack("H", str) and bin.unpack("H", str), respectively. [Patrick]

o [NSE] Fixed the parsing of --script-args, which was only accepting alphanumeric characters and underscores in values. Now a key, value, or array value may be a sequence of any characters except '{', '}', ',', '=', and all space characters. You may overcome this restriction by using quotes (single or double) to allow all characters within the quotation marks. You may also use the quote delimiter inside the sequence so long as it is escaped by a backslash. See http://seclists.org/nmap-dev/2009/q2/0211.html. [Patrick]

o [NSE] When a script ends for any reason, all of its mutexes are now unlocked. This prevents a permanent (and painful to debug) deadlock when a script crashes without unlocking a mutex. See http://seclists.org/nmap-dev/2009/q2/0533.html. [Patrick]

o Fixed a bug wherein nmap would not display the post-scan count of raw packets sent during a SYN ping scan (-sP -PS). [Josh Marlow]

o Changed the ICMP ping probes to use a random non-zero ICMP id. David's empirical testing found that some hosts drop probes when the ICMP id is 0. [Josh Marlow]

o [NSE] Fixed a --script argument processing bug in which Nmap would abort when an expression matches a set of scripts which were loaded by other expressions first (a simple example is "--script default,DEFAULT"). [Patrick]

o [Zenmap] Operating system icons are now always loaded as PNGs, even on platforms which support SVG images. That is much faster, and Zenmap currently never scales the images anyway. [Josh]

o [Ncat] The Nmap Windows uninstaller now removes the Ncat CA list (ca-bundle.crt) which has been installed since 4.85BETA9. [Jah]

o Optimized some Nmap version detection match lines for slightly better performance. See http://seclists.org/nmap-dev/2009/q2/0328.html. [Brandon]

o [NSE] Upon connection failure, a socket now immediately unlocks its "socket lock" to allow other pending socket connections to succeed sooner. This slightly improves scan speeds by eliminating the wait for garbage collection to free the resource. [Patrick]

o [NSE] Corrected a bug in nse_nsock.cc that could result in a crash from the use of an invalid Lua state if a thread is collected due to timeout or other rare reasons. Essentially, the callbacks from the nsock library were returning to an already-collected Lua state. We now maintain a reference to the Lua State Thread in the nsock userdata environment table to prevent early collection. This is a temporary patch for the stable release pending a more detailed review of the NSE nsock library binding. [Patrick]

o [NSE] When an NSE script in the database (script.db) is requested but not found on the filesystem, Nmap now prints a warning rather than aborting. We accidentally shipped with such a phantom script (smb-check-vulns-2.nse) in 4.85BETA8. [Patrick]

o Fixed a bug where an ICMP echo, timestamp, or address mask reply could be matched up with the wrong ICMP probe if more than one ICMP probe type was being sent (as with the new default ping). This led to timing calculation problems. [David]

o Improved the host expression parser to better handle a few cases where invalid target specifiers would cause Nmap to scan unintended hosts. See http://seclists.org/nmap-dev/2009/q2/0319.html. [Jah]

o [Zenmap] Fixed a crash, introduced in 4.85BETA4, that happened when searching scan results by date. The error message was:
  File "zenmapGUI\SearchGUI.pyo", line 816, in set_date
  TypeError: argument must be sequence of length 9, not 3
  [David]

o Patched configure.ac to detect Lua include and library files in "lua5.1" subdirectories of /usr/include and the like. Debian apparently puts them there. We still check the likes of /usr/include/lua.h and /usr/include/lua/lua.h as well. [Jan Christoph Nordholz]

o Improved nsock's fselect() to be a more complete replacement for select() on the Windows platform. In particular, any or all of the FD sets can be null or empty descriptor sets. This fixes an error ("nsock_loop error 10022") which would occur when you ran ncat --send-only on Windows. [David]

o The --with-openssl= directive now works for specifying the SSL location to the nsock library. It was previously not passing the proper include file path to the compiler. [Fyodor]

o The --traceroute feature is now properly disabled for IPv6 ping scans (-6 -sP) since IPv6 traceroute is not currently supported. [Jah]

o Fixed an assertion failure which could occur on at least SPARC Linux. The error looked like "nsock_core.c:294: handle_connect_result: Assertion `0' failed. Aborted". [David Fifield, Fabio Pedretti]

o Nmap's make install target now uses $(INSTALL) rather than cp to copy NSE scripts and libraries to ensure that file permissions are set properly. [Fyodor]

o Improved the Oracle DB version detection signatures. [Tom Sellers]

o [NSE] Remove the old nse_macros.h header file. This involved removing the SCRIPT_ENGINE_* status defines, moving the likes of SCRIPT_ENGINE_LUA_DIR to nse_main.h, removing the last remaining use of SCRIPT_ENGINE_TRY, and moving the FILES and DIRS defines to nse_fs.h. [Patrick]

o Cleaned up the libpcre build system a bit by removing Makefile.am and modifying configure.ac to prevent unnecessary removal of pcre_chartables.cc in some instances. [Fyodor]

o Fixed a bug which would cause Nmap to sometimes miscount the number of hosts scanned and produce warnings such as "WARNING: No targets were specified, so 0 hosts scanned" when --traceroute and -sP were combined. [Jah]

o Changed Nmap and Ncat's configure.ac files to check in more situations whether -ldl is required for compilation and add it where necessary. [Fyodor]

o When building Nmap RPMs using the spec file, you can now pass in an openssl argument, the contents of which are passed to ./configure's --with-openssl option. So you can pass rpmbuild an option such as --define "openssl /usr/local/ssl". [Fyodor]

o Fixed the make distclean target to avoid a failure which could occur when you ran it right after a make clean (it might have failed in other situations as well). [David]

o Updated nmap-mac-prefixes with the latest MAC address prefix data from http://standards.ieee.org/regauth/oui/oui.txt as of 5/20/09. [Fyodor]

o Ncat now makes sockets blocking before handing them off to another program with --exec or --sh-exec. This is to resolve a failure where the command "ncat --exec /usr/bin/yes localhost" would stop sending because yes would send data so quickly that kernel send buffers could not keep up and socket writes would start generating EAGAIN errors. [Venkat]

o Ncat now ignores SIGPIPE in listen mode. This fixes the command "yes | ncat -l --keep-open --send-only", which was failing after the first client disconnected due to a broken pipe signal when Ncat would try to write more data before realizing that the client had closed the connection.

o Version detection can now detect Ncat's --chat mode. [David]

Enjoy the new release!
-Fyodor

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
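The --script-args rules in the changelog entry above (bare tokens stop at '{', '}', ',', '=' or whitespace; quotes admit anything, with the quote character escaped by a backslash; {...} builds a table) are enough to write a small parser, which is done here as an added example. This is illustrative Python, not Nmap's own NSE argument parser (which is Lua); it assumes positional table entries get 1-based integer keys as a Lua table would.

```python
# Added example, not Nmap's own code: a parser for the --script-args value
# syntax described in the changelog entry (Nmap's real parser is Lua in NSE).
DELIMS = set("{},=")

def _read_token(s, i):
    """Read one key or value at s[i]; return (token, index after it)."""
    n = len(s)
    if i < n and s[i] in "'\"":                 # quoted token: anything goes
        quote, i, out = s[i], i + 1, []
        while i < n and s[i] != quote:
            if s[i] == "\\" and i + 1 < n and s[i + 1] == quote:
                i += 1                          # backslash-escaped delimiter
            out.append(s[i])
            i += 1
        if i >= n:
            raise ValueError("unterminated quoted token")
        return "".join(out), i + 1
    start = i                                   # bare token
    while i < n and s[i] not in DELIMS and not s[i].isspace():
        i += 1
    if i == start:
        raise ValueError("empty token at offset %d" % i)
    return s[start:i], i

def _read_table(s, i, closing):
    """Parse comma-separated entries up to '}' (closing=True) or end of input.
    Positional entries get 1-based integer keys, as they would in a Lua table."""
    table, pos, n = {}, 1, len(s)
    while True:
        if closing and i < n and s[i] == "}":
            return table, i + 1
        if i >= n:
            if closing:
                raise ValueError("missing '}'")
            return table, i
        token, i = _read_token(s, i)
        if i < n and s[i] == "=":               # key=value or key={...}
            i += 1
            if i < n and s[i] == "{":
                table[token], i = _read_table(s, i + 1, True)
            else:
                table[token], i = _read_token(s, i)
        else:                                   # positional (array) value
            table[pos], pos = token, pos + 1
        if i < n and s[i] == ",":
            i += 1
        elif i < n and not (closing and s[i] == "}"):
            raise ValueError("unexpected %r at offset %d" % (s[i], i))

def parse_script_args(spec):
    """Parse a whole --script-args string such as 'user=foo,ports={80,443}'."""
    return _read_table(spec, 0, False)[0]
```

A stray space or an unbalanced brace raises ValueError rather than silently producing a partial table, which is the failure mode worth catching before a script runs with half its arguments.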